
A long-standing vulnerability in a remote emergency braking system risks derailing the railroad industry. The vulnerability, CVE-2025-1727, which could disrupt operations, was reportedly discovered more than a decade ago and has not been patched because it affects end-of-life (EOL) software, hardware, and applications.
Although this specific vulnerability is unique to the braking systems of the railway industry, EOL software, hardware, and applications are a common source of risk among critical industries and infrastructure. Organizations frequently remain exposed during a prolonged period between the discovery of a vulnerability and the publication of a patch, in this case, at least a dozen years.
Over time, industrial systems and critical infrastructure accumulate technical debt because the expensive and complex devices they operate cannot be easily replaced. These legacy systems almost certainly run EOL software, hardware, or applications; for example, countless operational technology (OT) devices still run Windows XP.
Consequently, organizations must take a proactive approach to vulnerability management that extends beyond just patch management to include comprehensive visibility into the state of devices and continuous monitoring of network traffic to mitigate vulnerabilities that cannot be patched. These insights provide businesses with the context they need to effectively prioritize and respond to threats.
Off the Rails: Understanding End-of-Life Risk
Although CVE-2025-1727 only affects remote emergency braking systems for the railroad industry, understanding how some vendors view security is critical to understanding EOL software, hardware, and application risks, which apply universally to all industries.
According to the Cybersecurity and Infrastructure Security Agency (CISA), “Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure.” These sorts of real-world service interruptions are a real threat. Ransomware attacks have become prolific at causing outages, and the imminent threat of cyberwarfare should have critical infrastructure on high alert.
The Association of American Railroads (AAR) is aware of these vulnerabilities and is updating its standards and replacing the legacy devices. However, the AAR only announced this new protocol in May 2025 and won’t begin the rollout until 2026. In the meantime, roughly 70,000 devices are affected.
It may seem ironic that end-of-life software, hardware, and applications are still in use, but it is relatively common, especially in industrial systems and OT environments where devices remain deployed for decades. Of course, when these devices are in use for 20 to 30 years, or even longer, it is understandable that some vendors may no longer be able to support them, particularly if they rely on third-party operating software that is also no longer supported. Organizations must be aware of these risks, though, so they can appropriately plan.
Full Steam Ahead: Preparing for End-of-Life Migration
The reality is that while organizations plan for critical infrastructure and industrial systems for decades to come, they must also remain flexible enough to adapt to changing business conditions. EOL software, hardware, and applications are a form of these conditions.
The idea of laying down railroad tracks while a train is throttling toward them might suggest a lack of planning, but it also reveals a kernel of truth that could be described as “move fast and break things.” According to Chris Butera, acting executive assistant director for cybersecurity, CISA, “The vulnerability has been understood and monitored by rail sector stakeholders for over a decade…While the vulnerability remains technically significant, CISA has been working with industry partners to drive mitigation strategies.”
CISA’s recommendations for CVE-2025-1727 apply to every industry: minimize network exposure for industrial devices and systems, isolate them from business systems, and protect them with network security. These are mitigation techniques to be employed until remediation becomes available.
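The two ideas above, device visibility with business context for prioritization and CISA's exposure-reduction mitigations for systems that cannot be patched, can be turned into a small inventory triage. The following is an added example, not code from the article or from CISA or the AAR: it ranks a constructed asset inventory by exposure, function and end-of-life status, and maps each asset to the kind of mitigation the article names. The weights, the asset names, and every end-of-life date except Windows XP's (8 April 2014) are assumptions made up for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed weights for illustration only; tune them to your own environment.
EXPOSURE_WEIGHT = {"internet": 3, "business_network": 2, "isolated": 1}
FUNCTION_WEIGHT = {"safety": 3, "operations": 2, "support": 1}


@dataclass(frozen=True)
class Asset:
    name: str
    software: str
    eol_date: Optional[date]   # None means the vendor still supports it
    exposure: str              # a key of EXPOSURE_WEIGHT
    function: str              # a key of FUNCTION_WEIGHT


def is_eol(asset: Asset, today: date) -> bool:
    """True when the asset's software has passed its vendor end-of-life date."""
    return asset.eol_date is not None and asset.eol_date <= today


def risk_score(asset: Asset, today: date) -> int:
    """Exposure times function, doubled when a patch can never arrive (EOL)."""
    score = EXPOSURE_WEIGHT[asset.exposure] * FUNCTION_WEIGHT[asset.function]
    return score * 2 if is_eol(asset, today) else score


def recommended_action(asset: Asset, today: date) -> str:
    """Map the asset's state to the exposure-reduction mitigations the article lists."""
    if not is_eol(asset, today):
        return "patch on vendor schedule"
    if asset.exposure == "internet":
        return "remove from internet; isolate and monitor traffic"
    if asset.exposure == "business_network":
        return "segment from business network; monitor traffic"
    return "keep isolated; monitor for unexpected traffic"


def prioritize(assets: List[Asset], today: date) -> List[Tuple[str, int, str]]:
    """Return (name, score, action) tuples, highest risk first, ties broken by name."""
    ranked = sorted(assets, key=lambda a: (-risk_score(a, today), a.name))
    return [(a.name, risk_score(a, today), recommended_action(a, today)) for a in ranked]


# Constructed inventory (not real devices). Windows XP's EOL date is the real one;
# the gateway firmware name and its EOL date are made up for the example.
INVENTORY = [
    Asset("HMI-01", "Windows XP", date(2014, 4, 8), "business_network", "operations"),
    Asset("PLC-07", "vendor firmware 4.2", None, "isolated", "safety"),
    Asset("GW-02", "gateway firmware 2.1", date(2018, 6, 30), "internet", "safety"),
    Asset("HIST-01", "Windows Server 2019", None, "business_network", "support"),
]

if __name__ == "__main__":
    for name, score, action in prioritize(INVENTORY, date(2025, 8, 1)):
        print(f"{name:8} score={score:2}  {action}")
```

The doubling for EOL status reflects the article's point that such assets will never see a patch, so their only path to lower risk is reducing exposure; the output puts the internet-reachable, safety-relevant EOL gateway first and the supported, isolated PLC near the bottom, which is the ordering a planning conversation about segmentation should start from.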
Butera notes that “fixing this issue requires changes to a standards-enforced protocol, and that work is currently underway.” In the meantime, CISA reminds organizations to perform a proper impact analysis and risk assessment prior to deploying defensive measures.
A remote emergency braking system vulnerability is not just a railroad industry problem; it highlights a much broader issue with EOL software, hardware, and applications. However, comprehensive and continuous visibility into complex networks can provide business context into vulnerabilities that can inform how they are prioritized. In this way, organizations can also extend these benefits across their entire attack surface and compliance programs with cyber exposure management.